FR2864392A1 - Intrusion sensing probe alarm set classifying process for use in information security system, involves constructing lattice for each alarm originated from intrusion sensing probes, and merging lattices to form general lattice - Google Patents

Abstract

The process involves organizing attributes of each attribute domain into a hierarchical structure comprising several levels. A lattice is constructed for each alarm originated from intrusion sensing probes (11a-11c) according to the structure. The lattices are iteratively merged to form a general lattice. Alarms that are pertinent and general are identified to produce synthetic alarms for an output unit of an alarm management system. An independent claim is also included for a computer program implementing a process for classifying alarm sets.

Description

Background of the invention

  The invention relates to a method for automatic classification of a set of alerts from intrusion detection probes.

  The security of information systems involves the deployment of IDS intrusion detection systems with intrusion detection probes that issue alerts to alert management systems.

  Indeed, intrusion detection probes are active components of the intrusion detection system that analyze one or more data sources looking for events that are characteristic of intrusive activity and issue alerts to management systems. alert. An alert management system centralizes the alerts from the probes and possibly performs an analysis of all these alerts.

  Intrusion detection probes generate a very large number of alerts that can include several thousand per day depending on configurations and the environment.

  Excess alerts can result from a combination of several phenomena. First, false alerts account for up to 90% of the total number of alerts. Then the alerts are often too granular, that is to say that their semantic content is very poor. Finally, alerts are often redundant and recurrent.

  The upstream processing of alerts at the management system level is therefore necessary to facilitate the analysis work of a security operator. This treatment consists in correlating the alerts, it is to 2864392 2 to reduce the overall amount of alerts, while improving their semantics. This can be done by unsupervised classification of alerts.

  The purpose of the unsupervised classification is to split the alert space into several classes taking into account the variables that characterize them.

  In this field of application, the alerts that are the subject of the classification are described by essentially qualitative and structured variables.

  Qualitative and structured variables are variables belonging to discrete domains each of which is provided with a partial order.

  Classification methods for structured qualitative variables are called conceptual classifications.

  A conceptual classification method is proposed by R.S. Michalsky and R.E. Stepp, in a publication entitled "Learning from Observation: Conceptual Clustering", in the journal "In Machine Learning: An, Artificial Intelligence Approach", published in 1993.

  This method constructs a conceptual hierarchy from a set of data downwards, by determining a partition of a complete set of data into several disjoint classes.

  The approach used in this method of Michalsky is therefore unsuited to the classification of alerts, since it partitions all the data and is unable to integrate new data without having to be reset.

  Indeed, the databases of alerts are highly dynamic because there can be several new alerts per second.

  Another conceptual classification method is proposed by D.H. Fisher, in a publication of a doctoral dissertation entitled "Knowledge Acquisition via Incremental Conceptual Clustering", at the Department of Information and Computer Science, University of California, published in 1987.

  Fisher's method is an incremental conceptual classification, which does not require prior knowledge of the number of classes desired. On the other hand, this method is used for nominal variables.

  Other methods derived from the Fisher method support structured data. The structure of the hierarchy obtained by these methods is strongly dependent on the order of insertion of the data. In addition, Fisher's approach produces a partition of all data.

  In addition, Manganaris and in a publication at the 2nd International Workshop on Recent Advances in Intrusion Detection 1999, entitled "A Data Mining Analysis of RTID Alarms", propose to model a tolerated behavior of an information system using alerts provided by intrusion detection tools. The use of IDS intrusion detection systems in an operational environment shows that the least frequent alerts are usually the most suspicious.

  According to this model, recurring alerts are considered to be either false alerts due to the normal behavior of information system entities, but which seems intrusive from the point of view of IDS systems, that is entity failures.

  Another method of alert classification is proposed by K. Julisch, in a publication of Proceedings of the 17th ACSAC in 2001, entitled "Mining Alarm Clusters to Improve Alarm Handling Efficiency". This method proposes a generalization of alerts to highlight groups of alerts more relevant than each alert taken individually.

  2864392 4 The method used by Julisch is a modification of another known method proposed by Han et al, published in Advances in Knowledge Discovery and Data Mining, AAAI Press in 1996 under the title "Exploration of the Power of Attribute-Oriented Induction". Data mining ".

/ Mit Press, 1996.

  Briefly, the method used by Han consists in generalizing structured variables. The domain of each variable has a partial order represented by a tree hierarchy, whose level of abstraction or generalization is increasing from the leaves to the top of the hierarchy.

  Hall's method is iterative. Each iteration consists of choosing an attribute and generalizing the value of the attribute of each individual, according to the hierarchy associated with it. Variables that become equal after a generalization are merged. The overall number of variables therefore decreases with each iteration. The process stops when the number of variables falls below a given threshold.

  This stopping criterion is not satisfactory because one can not know a priori how many groups of alerts it is desirable to present to the security operator. In addition, the generalized alerts obtained may be over-generalized and their interest limited. The difficulty of the approach is therefore to find a good compromise between a significant reduction in the number of alerts and the maintenance of their relevance.

  So, the change made by Julisch consists of removing from the set of alerts submitted to the generalization process any generalized alert whose number of underlying alert instances exceeds a given threshold.

  In order to avoid the over-generalization phenomenon, the generalization performed on the remaining generalized alerts is canceled, and the process is reiterated with another attribute.

  The disadvantage of this method is that it does not identify relevant generalizations that might have occurred if the alerts provided to the security operator had been retained for the following generalizations. In addition, the nature of the generalized alerts obtained depends on the order of attributes that is based on heuristics.

  Finally, the Julisch method is not incremental and the generalization process must be reset each time the security operator requests.

  OBJECT AND SUMMARY OF THE INVENTION The object of the invention is to remedy these drawbacks, and to provide a simple method for unsupervised classification of alerts from intrusion detection probes to generate the most general and the most general synthetic alerts. with a global vision of all alerts and fully automatically.

  These goals are achieved through a method of automatically classifying a set of alerts from intrusion detection probes of an information security system to produce synthetic alerts, each alert being defined by a plurality of alerts. qualitative attributes belonging to a plurality of attribute domains each of which is provided with a partial order relationship, characterized in that it comprises the following steps -organizing the attributes belonging to each attribute domain into a hierarchical structure comprising several levels defined according to the partial order relationship of the attribute domain, the plurality of attribute domains thus forming a plurality of hierarchical structures; construct, for each alert issued by the intrusion detection probes, a lattice specific to this alert by generalizing each alert according to each of its attributes and at all levels of the hierarchical structure, the lattice 2864392 containing its own nodes corresponding to alerts, interconnected by arcs so that each node is linked to one or more parent nodes and / or one or more child or descendant nodes; iteratively merging into a general lattice, each of the lattices being clean; -identify in the general lattice synthetic warnings by selecting the alerts that are both the most relevant and the most general according to statistical criteria and according to the membership of their attributes at lower levels of the hierarchical structures; and -produce the synthetic alerts to an output unit of an alert management system in order to present a global view of all the alerts issued by the intrusion detection probes.

  Thus, the method according to the invention is an incremental method and provides potentially non-disjoint alert classes.

  According to a first aspect of the invention, the construction of a clean lattice comprises the following steps: retrieve for any generalizable attribute of a given alert, the generalized value of this attribute from its hierarchical structure to form a new alert more general than the said alert; - add a new node to the clean mesh corresponding to the new alert and add an arc from the new node of the new alert to the node of the given alert; -adding missing arcs from the parent nodes of the given alert, resulting from the generalization of the alert given according to its other attributes, to the node of: a new alert.

  According to a second aspect of the invention, the merging of a given clean trellis in the general trellis comprises the following steps: selecting a first node corresponding to a first alert belonging to the given clean trellis, and a second node corresponding to a second alert belonging to the general trellis; -delete all the arcs coming from the parent nodes of a child node of the first node if said child node also belongs to the general lattice, -add to the general lattice said child node and all of its descendants if said child node does not belong to the general lattice.

  According to a third aspect of the invention, a relevant alert is identified when each of the sets of child nodes of the relevant alert resulting from a specialization of this alert according to each of its attribute domains is homogeneous, and when the number of elements comprising said each set of child nodes of the relevant alert is greater than a threshold value.

  Advantageously, the synthetic alerts are associated with different groups of alerts from the probes so that these groups are not necessarily mutually exclusive.

  The plurality of attribute domains may include domains from the following sets: set of attack identifiers, set of attack sources, set of attack targets, and set of attack dates.

  The invention is also directed to a computer program designed to implement the above method, when executed by the alert management system.

Brief description of the drawings

  Other features and advantages of the invention will become apparent on reading the description given below, by way of indication but not limitation, with reference to the accompanying drawings, in which: - Figure 1 is a very schematic view of an information security system comprising an alert management system according to the invention; FIG. 2 is a flow chart for the formation of a clean mesh according to the invention; Figure 2A shows very schematically the mechanism of Figure 2; FIG. 3 is a flow diagram of the fusion of a clean lattice in a general lattice according to the invention; FIGS. 3A and 3B show very schematically the mechanism of FIG. 3; FIG. 4 is a selection flow chart of the synthetic alerts according to the invention; FIG. 5 very schematically shows an alert associated with different synthetic alerts according to the invention; FIGS. 6A to 6C show very schematically simplified hierarchies associated with the different attribute domains of the alerts according to the invention; and FIG. 7 illustrates a general lattice associated with two generalized alerts according to the hierarchies of FIGS. 6A to 6C.

  Detailed description of embodiments

  FIG. 1 illustrates an example of an intrusion detection system 1 connected through a router 3 to an external network 5 and to an internal network 7a and 7b with a distributed architecture.

  The intrusion detection system 1 comprises several intrusion detection probes 11a, 11b, 11c, and an alert management system 13. Thus, a first intrusion detection probe 11a monitors the alerts coming from the intrusion detection system 11. outside, a second probe 11b monitors a portion of the internal network 7a comprising work stations 15 and a third probe 11c monitors another portion of the internal network 7b comprising servers 17 delivering information to the external network 5.

  The alert management system 13 may comprise a host 5 dedicated to the processing of alerts, a database 21, and an output unit 23.

  Thus, the probes 11a, 11b, 11c deployed in the intrusion detection system 1 send (arrows 26) their alerts 25 to the alert management system 13. The latter, in accordance with the invention, proceeds to an automatic classification. of this set of alerts and sends synthetic alerts to the output unit 23 to present a global view of all alerts from the intrusion detection probes 11a, 11b, 11c.

  Indeed, the host 19 of the warning management system 13 includes processing means for automatically sorting the alerts and storing this classification in the form of trellises in the database 21.

  Thus, a computer program designed to implement the present invention can be executed by the alert management system.

  Alerts and in a general way, the data that can be the object of a conceptual classification are n-tuples of attributes E Al x ESE x Ai x ... x An, Ai being a discrete set provided with 'a partial order relation <Ai defining the domain of the attribute ai.

  The partially ordered sets can be represented by a Hasse diagram, ie by a directed acyclic graph or a hierarchical structure G = (Ai, cover (- <Ai)) whose set of nodes consists of the elements of Ai and the set of arcs is constituted by the cover of the partial order relationship.

  In the present embodiment, we restrict the attribute hierarchies to balanced trees: each attribute value has at most one parent and the distance of the leaves at the top of the tree is a constant. However, the present invention can easily be adapted to more elaborate hierarchies.

  A hierarchical structure can be considered as a tree structure where the ancestor of an element b is an element a such that b - Ai a. In this case we say that the element a is more abstract or more general than the element b, and conversely, we say that the element b is more specific than the element a.

  In particular, the element a is a direct ancestor of b si (a, b) E cover (<AI), that is, if there is not an intermediate element g between the elements a and b, or formally if b - <Ai a and (3g / (g - <Ai a and b <Ai g)).

  The most specific elements of an attribute domain Ai, forming a hierarchical structure, define what are called the leaves of this hierarchical structure. Thus, a sheet f is an element f E Ai such that Og E A, such that g BAI f.

  Each attribute has a level of abstraction or generalization, defined by an integer corresponding to the height of the attribute in the hierarchical structure. Level 0 is assigned to the root of the hierarchy, that is, to the most general set of elements. The level of abstraction or generalization of any element is worth the level of abstraction of its direct ancestor increased by the value 1.

  Thus, each alert can be defined by a plurality of qualitative attributes (al, ... ai, ... an) belonging to a plurality of attribute domains (A1, ..., Ai, ... An). each of which has a partial order relationship.

  The attributes belonging to each attribute domain Ai can therefore be organized into a hierarchical structure comprising several levels defined according to the partial order relation of the attribute domain. Then, the plurality of attribute domains (A1, ..., Ai, ... An) form several hierarchical structures.

  In a general way, we will speak of concept to designate any element of Al x ... x An. Moreover, non-generalized concepts, that is to say the concepts whose attributes belong only to leaves of hierarchies are called individuals. Thus, alerts from the intrusion detection probes 11a, 11b, 11c can be considered as individuals that are the subject of the classification.

  The objective of the classification according to the invention is to identify relevant concepts by performing successive generalizations on the attributes of the individuals, according to their partial order relationship.

  The concepts to be classified are structured in a lattice T = (C, R) where R ç C x C, and C is the set of nodes of the lattice corresponding to the concepts. Thus, in a lattice the notion of concept can be confused with that of the node.

  There is a link (c1, c2) E R from node c1 to node c2 if c1 is derived from the abstraction or generalization of c2 according to any attribute. We denote T (cl) = {c2 E CI (c2, c1) E R} the set of parent nodes of node c1. Similarly, we denote.L (c1) = {c2 E CI (c1, c2) E R} the set of child nodes of c1.

  The subset.LA (c) of the set, 1, (c) is the set of child nodes of c, resulting from the specialization of c according to the attribute domain Ai.

  Similarly, the subset TAi (c) of the set 1 '(c) is the set of parent nodes of c, resulting from the generalization of c according to the attribute domain Ai.

  Note that the relation Ai can be considered as a function when the hierarchical structure is a tree structure. Thus, we can define a partial order relation <on the set of concepts in the following way: QE CHC c2 + 3Ai, ci [Ai] Ai c2 [Ai: cl <VAj, and [Ai] Aie2 [Aj] where c [Ai] denotes the attribute belonging to the attribute domain Ai of the concept c.

  This partial order relation allows to construct for each individual i, in particular for each alert resulting from the intrusion detection probes, a lattice specific to this alert by generalizing each alert according to each of its attributes and at all levels of security. the hierarchical structure.

  Formally, if i = (al, ..., an) is an individual, the proper lattice Ti = (Ci, Ri) associated with the individual i is defined as follows: Ci = (cl,

  .cn) EA1x ... An / aA3c} Ri =., Ck) E Cl x Cl / a! Al / (ci [Al], ck [Al]) E cov er (- <Al) VAm Al, ci [Am] = ck [Am] Thus, a general lattice containing all the concepts can be constructed by successive additions clean lattices ... DTD: The insertion of an individual into the general lattice is done by merging the lattice proper to the individual with the general lattice.

  Formally, given the set of individuals, the general lattice T = (C, R) is defined as follows: C = UCi and R = URi iEI iEl 2864392 13 Thus, a clean lattice can be constructed for each alert issued from the intrusion detection probes 11a, iib, 11c. This clean lattice therefore comprises nodes corresponding to alerts, interconnected by arcs so that each node is linked to one or more parent nodes and / or one or more child or descendant nodes.

  Next, each of the clean lattices associated with the alerts from the intrusion detection probes may be iteratively fused into the general lattice.

  Finally, synthetic warnings can be identified in the general lattice, by selecting the alerts that are both most relevant and general according to statistical criteria and according to the membership of their attributes at lower levels of the hierarchical structures.

  Indeed, Figures 2 to 4 show flowcharts illustrating the formation of the lattice specific to a given individual, the merger of a given lattice in the general lattice, and the selection of relevant and general concepts.

  The flowchart in Figure 2 shows the formation of a lattice specific to a given individual. More particularly, it shows the construction of a proper lattice Ti = (Ci, Ri) being developed in the vicinity of a given given concept or alert.

  Thus, in step E0, we define the given concept c = (al, ..., an) as well as the index 1 corresponding to the index of the attribute from which the generalization is implemented, knowing that the generalizations according to the lower index attributes are considered to correspond to concepts that have already been added to the proper lattice Ti during previous recursive calls.

  The steps E1 to E3 are a main loop that iterates over the attribute indices according to which the node given as a parameter, at the step 2864392 14 E0, will be generalized. Iteration is done for all indices k between Z and n and for all attributes ak generalizable.

  Thus, for any attribute ak that can be generalized from its hierarchical structure, the function genAtt (c, k) is calculated in step E2, which retrieves the value of the attribute that generalizes that of ak to form a concept p. corresponding to the generalization of the concept c according to the index k.

  This generalized concept p is added to the lattice Ci = Ci U p and an arc is added going from the concept c to the concept p, that is to say Ri = RiU {(p, d.

  Step E3 is an internal loop that adds the missing arcs from the parent nodes of the concept c, resulting from the generalization of c according to all the attributes of index less than or equal to k, that is to say Ri = Ri U {(i'4 "Ah (c), p)}.

  Step E4 is a recursive call where the flowchart is applied for new parameters.

  Thus, the algorithm of the formation of a proper lattice for a given concept c can be described as below: Algorithm: Clean lattice Data: The concept c = (al, ..., an), the index l of the attribute from which to generalize, the lattice Ti = (Ci, Ri) being developed.

  for k E [Z; n] do If ak is generalizable, then p = genAtt (c, k) Ci = CiUp Ri = RiU {(p, c)} for he [o, k] make Ri = RiU {(TAktAh (c), p) } end end Own lattice (p, k, Ti) end. More particularly, FIG. 2A shows an example of the construction of the own lattice 31 from a given alert corresponding to a given node A according to the second attribute of the node A. In other words, from the call parameters (c = A, k = 1, Ti = Tc). Generally speaking, for any generalizable attribute of the given alert, the generalized value of this attribute is retrieved from its hierarchical structure to form a new alert that is more general than the alert given.

  According to this example, at step k = 2 of the algorithm, a new node D corresponding to the new alert formed according to the generalization of the second attribute of node A, is added to the lattice and an arc (D, A ) from the new node D of the new alert to the node A of the given alert.

  Then missing arcs from the parent nodes of the alert A given at node D of the new alert are added. The parent nodes of the given alert come from the generalization of the alert given according to its other attributes.

  According to this example, at the previous iteration (k = 1), the vertex lattice B has been constructed. The generalizations of D according to attributes whose index is less than k have already been added, in this case C, for k = 1. Thus, only the missing arc (C, D) is added.

  The algorithm is re-executed recursively with parameters (D, 2, T).

  In a general way, the lattice specific to an individual i = (al, ..., an) is obtained by calling the lattice algorithm Clean (c = i, k = 1, Ti = il, {})) , knowing that initially, the clean lattice associated with node i is formed of a single node and the set of arcs is still empty.

  The flowchart of FIG. 3 shows the fusion of a given clean lattice in the general lattice.

  In step E10, the initialization parameters are defined. In particular, it is selected a first node corresponding to a first alert or concept h belonging to the own lattice Ti = (Ci, Ri), and a second node corresponding to a second alert or concept g belonging to the general lattice T = (C, R).

  The main loop between the steps E11 and E14 or E15, iterates on the set of child nodes of the node h of the proper lattice passed in parameter, that is to say for hi E (h).

  Thus, in step E11 a child node hi of the first node h is chosen.

  In step E12, it is checked whether this child node hi of the first node h also belongs to the general lattice. In other words, we check if 3gi e4, (g) such that gi = hi.

  If so, all the arcs from the parent nodes of this child node are deleted Ri = Ri 1 '(h) in step E13, before proceeding to step E14.

  Indeed, the following proposition says that if a node hi of a proper lattice already exists in the general lattice, then all of its parents are also there, that is to say: (hi ECi A gk C, hi = gk) T (h) çC.

  Step E15 is a recursive call where the flowchart is reapplied from step E11 but for new parameters.

  Indeed, the children of the hi node are not necessarily in the general lattice, so we must recursively execute the algorithm on this hi node.

  On the other hand, if the child node does not belong to the general lattice, then it suffices to add thereto T = T U Th1 as well as all of its descendants in step E15 before returning to step E11.

  The contraposition of the previous proposition assures us that there will be no duplication of nodes. Thus, the algorithm for the fusion of a trellis-specific lattice 10

  General can be described as below: Algorithm: Fusion Lattice Data: A concept g of the general lattice T = (C, R), a concept h of the lattice Ti = (Ci, Ri) of / individual i for each hi concept EL (h) do if 3gi 4 (g) te / that gi = hi then Ri = Ri- T (hi) Fusion Lattice (g, / hi) end otherwise Ri = Ri - t (h, hi T = TUThi The FIGS. 3A and 3B schematize the mechanism for fusing a lattice specific to the general lattice, according to the flowchart of FIG. 3.

  In these two FIGS. 3A and 3B, the left trellis portion belongs to the general trellis and the right trellis portion belongs to the trellis that one wishes to merge. Grayed out nodes are the calling parameters of the algorithm. They are equal, by hypothesis (A = A ').

  According to Figure 3A, one of the children B 'of A' is already present in A (B '= B). The links 41, 43, and 45 to the immediate ancestors of B 'end end.

  2864392 18 are deleted because we know that they are already in the general lattice. The algorithm is then called recursively on Bet B '.

  According to FIG. 3B, the node C does not exist as a child of A, then a link 47 (in dashed lines) is created between A and C, and the link 49 which links C to A 'is deleted. The sub-lattice with vertex C is therefore integrated into the general lattice.

  The algorithm is called with as arguments the vertices of the lattice specific to the individual to be inserted and the vertex of the general lattice. As all the lattices have the same vertex corresponding to the most general node, the assumption that the concepts passed in arguments to the algorithm are equal is respected.

  The flowchart in Figure 4 shows the identification of synthetic alerts or concepts providing a set P of alerts or concepts that are both the most relevant and the most general of an alert or concept c.

  An alert or concept c is relevant if each set (c) is homogeneous and sufficiently large.

  A set of alerts or concepts is homogeneous if the dispersion of the number of individuals covered by each concept is not too great. For this purpose, a coefficient of variation is used in a known manner.

  A set.1-Ai (c) is sufficiently large if the number of elements that compose it is greater than a threshold value linked to the level of abstraction or generalization of the attribute Ai of c. Formally: ## EQU1 ## where the function p (c) denotes a Boolean function indicating whether a node is relevant; FA, is the set of individuals covered by each concept of Ai (c); mF is the average of FA,; 6F its At variance; and zeAI represents the threshold value related to the abstraction level of the attribute domain Ai of c.

  The number of individuals covered by a concept is a value related to each node of the lattice and updated upon the merger of a clean lattice associated with an individual with the general lattice.

  Thus, an alert is said to be relevant if each of the sets of child nodes of the relevant alert c resulting from the specialization of this alert c according to each of its attribute domains is homogeneous, and if the number of elements composing each of the sets child nodes of the relevant alert c is greater than a threshold value.

  Step E20 of the flowchart of FIG. 4 corresponds to the definition of the call parameters. These parameters comprise a concept c of the general lattice T = (C, R), a set P of the relevant concepts previously found, and an integer t used for the tracing of the lattice.

  Step E21, is a test to check the relevance of c. So if the concept c is relevant, then we go to the step E22, where the concept c is added to the set P of the relevant concepts P = PU {c}, and the set of more specific concepts than c possibly added previously are removed from the set P, that is to say P = P {c1 EP / ci ac}. Indeed, we search for the most abstract concepts, while being relevant.

  On the other hand, if c is not relevant, then the algorithm is applied recursively, at the steps E23 on all the children of c resulting from the specialization of c according to the attributes of indices i greater than or equal to t , that is, and e (c), knowing that the other attributes have already been analyzed.

  When the algorithm ends, a list including the concepts considered relevant and general is provided to the output unit 23 of the warning management system 13 so that a security operator can have a global view of all alerts. If the latter wants details on any concept c that he deems too abstract, then the algorithm is re-executed on all the children of this concept c.

  Thus, the algorithm for identifying synthetic concepts can be described as below: Algorithm: Synthetic Data: A concept c of the general lattice T = (C, R), a set P of the relevant concepts previously found an integer t used for the lattice path if p (c) then P = P {c EP / ci ac} P = PU {c} end otherwise for E [t, n] for each element c1 E.1, Ai (c) Synthetics (ci, P, 1) end fine end Note that synthetic alerts are associated with different groups of alerts from the probes so that these groups are not necessarily mutually exclusive.

  Indeed, Figure 5 very schematically shows an alert associated with different synthetic alerts.

  Alarms Al to A6 emitted by the intrusion detection probes are the sheets of the general lattice. The alert group associated with a general alert is the set of sheets accessible from this general alert.

  Thus, the alert group Al23 is associated with the synthetic alert S1 and the alert group A34 is associated with the synthetic alert S2. On the other hand, the A4 to A6 alerts are associated with an A7 general alert which is not a synthetic alert.

  Given the very structure of the lattice, the groups of alerts are not mutually exclusive. Thus, the alert A3 participates in two phenomena, that is to say two different warning groups Al23 and A34.

  Alerts from intrusion detection probes are individuals defined by a plurality of attributes belonging to a plurality of attribute domains. Attribute domains can include a set of alert identifiers, a set of attack sources, a set of attack targets, and a set of attack dates.

  FIGS. 6A to 7 show a simplified example of classification of a set of alerts originating from intrusion detection probes.

  According to this example, the alerts are triplets (name, src, dst) EN x S x D, where N represents the set of alert identifiers, S represents the set of attack sources, and D represents the set of attack targets. In other examples, the alerts could consist of other types of attributes, or the same but with domains defined differently.

  At the lowest level of abstraction, the alert identifiers are the signature identifiers of the SnortTM intrusion detection tool. The higher level of abstraction consists of the attack classes defined by SnortTM. The higher level of abstraction consists of a single element, any.

  Indeed, Figure 6A shows a simplified hierarchy associated with the domain of the set of identifiers. The first level of abstraction or generalization Nil has the elements alti and att2. The second and third levels of generalization N12, N13 include the elements web-attack and any respectively.

  At the lowest abstraction level, the attack sources are IPv4 type addresses. The higher level of abstraction consists of network domain names managed by IANATM and its local branches (RIPE, APNIC, ARIN, etc.). IP addresses not registered in the IANATM database or public addresses internal to the monitored information system or private IP addresses are abstract in CIDR type notation (eg 192.168.0.0/24). The upper level may consist of two elements, external and internal to designate the exterior and interior of the information system 15. The next level of abstraction consists of a single element, any.

  The example in Figure 6B shows a simplified hierarchy associated with the domain of the set of attack sources. The first level of abstraction or generalization with the elements 192.168.0.1 and 192.168.0.33. The second and third levels of generalization include the elements internai and any respectively.

  At the lowest level of abstraction, attack targets are the public and private IP addresses of the information system. The next level of abstraction is network addresses in CIDR notation. The next level of abstraction consists of a single element, any.

  Figure 6C shows a simplified hierarchy associated with the domain of the set of attack targets. The first, second, and third levels of abstraction or generalization include the elements 168, 168.0.10, proxy, and any respectively.

  FIG. 7 illustrates a general lattice associated with two Al and A2 alerts defined by A1 (att2, 192.168.0.1, 192.168.0.10) and A2 (attl, 192.168.0.33, 192.168.0.10).

  According to this example and according to the attribute hierarchies of FIGS. 6A to 6C, the attack identifiers are generalized in the webattack attack class and then in any.

  The IP addresses of the attackers are generalized in internai then in any.

  The IP addresses of the victims are generalized according to proxy host, then to any.

  According to this example, there are two separate attackers 192.168.0.1 of Al Alert and 192.168.0.33 of Alert A2 which are internal IP addresses. There is only one victim 192.168.0.10, which is a web proxy.

  The most abstract alert inferred by the system is (any, any, any). The full arrows denote a generalization according to the attribute that corresponds to the attack, the arrows in dashes denote a generalization according to the attribute that corresponds to the attacker, and the dashed arrows denote a generalization according to the attribute that corresponds to the victim.

  At the end of the selection process of the relevant alerts, the system proposes the synthetic alert (web-attack, internai, proxy). Other alerts are either too general or too specific.

Claims (3)

24 CLAIMS   A method of automatically classifying a set of alerts from intrusion detection probes (11a, lib, 11c) of an information security system (1) to produce synthetic alerts, each alert being defined by a plurality of qualitative attributes (al, ..., an) belonging to a plurality of attribute domains (A1, ..., An) each of which is provided with a partial order relation, characterized in that it comprises the following steps: -organize the attributes belonging to each attribute domain into a hierarchical structure comprising several levels defined according to the partial order relation of the attribute domain, the plurality of attribute domains thus forming several hierarchical structures; constructing, for each alert issued by the intrusion detection probes (11a, lib, 11c), a lattice specific to this alert by generalizing each alert according to each of its attributes and at all levels of the hierarchical structure, the lattice comprising nodes, corresponding to alerts, interconnected by arcs so that each node is linked to one or more parent nodes and / or one or more child nodes or descendants; iteratively merging into a general lattice, each of the lattices being clean; -identify in the general lattice synthetic warnings by selecting the alerts that are both the most relevant and the most general according to statistical criteria and according to the membership of their attributes at lower levels of the hierarchical structures; and -producing the synthetic alerts to an output unit (23) of an alert management system (13) in order to present a global view of all the alerts issued by the intrusion detection probes (ila, lib , 11c).   2. A method according to claim 1, characterized in that the construction of a lattice own comprises the following steps: -recover for any generalizable attribute of a given alert, the generalized value of this attribute from its hierarchical structure to form a new alert more general than said alert given; add a new node to the clean mesh corresponding to the new alert and add an arc from the new node of the new alert to the node of the given alert; adding missing arcs from the parent nodes of the given alert, resulting from the generalization of the alert given according to its other attributes, to the node of the new alert.   3. Method according to any one of claims 1 and 2, characterized in that the melting of a given clean lattice in the general lattice 15 comprises the following steps: - select a first node corresponding to a first alert belonging to the lattice clean given, and a second node corresponding to a second alert belonging to the general lattice; -delete all the arcs coming from the parent nodes of a child node of the first node if said child node also belongs to the general lattice, - add to the general lattice said child node and all of its descendants if said child node does not belong to the general lattice.   4. Method according to any one of claims 1 to 3, characterized in that a relevant alert is identified when each set of child nodes of the relevant alert from a specialization of this alert in each of its areas of attributes is homogeneous, and when the number of elements composing said each set of child nodes of the relevant alert is greater than a threshold value.   5. A method according to any one of claims 1 to 4, characterized in that the synthetic alerts are associated with different groups of alerts from the probes so that these groups are not mutually exclusive.   6. Method according to any one of claims 1 to 5, characterized in that the plurality of attribute domains comprises domains among the following sets: set of alert identifiers, set of attack sources, set of targets attacks, and all attack dates.   7. Computer program characterized in that it is designed to implement the method according to any one of claims 1 to 6 when executed by the alert management system (13).